code-423n4 / 2022-01-livepeer-findings


Don't use deprecated library functions #207

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

byterocket

Vulnerability details

Impact

The _setupRole function in OpenZeppelin's AccessControl contract is marked as deprecated in favor of _grantRole. See here.

The following contracts use the deprecated _setupRole in their constructor:

arbitrum-lpt-bridge:
  - ControlledGateway.sol
  - L1/escrow/L1Escrow.sol
  - L2/gateway/L2Migrator.sol
  - token/LivepeerToken.sol
  - L1/gateway/L1Migrator.sol

Recommended Mitigation Steps

Refactor the contracts' constructors to use _grantRole instead of _setupRole.

yondonfu commented 2 years ago

Labeled as disagree with severity because we think this is a 0 - Non-critical finding since we don't see any negative impact functionally from the issue, but we do acknowledge that we should switch to a non-deprecated function.

0xleastwood commented 2 years ago

Agree, this just sounds like best practice.

yondonfu commented 2 years ago

Fixed in https://github.com/livepeer/arbitrum-lpt-bridge/commit/99322b7aef85af18bccfcce8fce30fcc04b706c9
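
A check that can be run over contract sources to confirm no `_setupRole` call remains after a refactor like the one recommended in the finding. This is an added example, not code from the report or the Livepeer repository; `find_setup_role`, `ExampleGateway` and the sample source are constructed for illustration.

```python
import re

# Comments and string literals, so a commented-out call is not reported.
_NOISE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'', re.S)
_CALL = re.compile(r'\b_setupRole\s*\(')
_CTOR = re.compile(r'\bconstructor\b')

def _blank(m):
    # Overwrite with spaces but keep newlines so line numbers stay correct.
    return re.sub(r'[^\n]', ' ', m.group(0))

def _constructor_spans(code):
    """Yield (open, close) offsets of each constructor body, by brace matching."""
    for m in _CTOR.finditer(code):
        start = code.find('{', m.end())
        depth = 0
        for i in range(max(start, 0), len(code) if start >= 0 else 0):
            depth += (code[i] == '{') - (code[i] == '}')
            if depth == 0:
                yield start, i
                break

def find_setup_role(source):
    """Return [(line, in_constructor)] for each _setupRole( call in Solidity source."""
    code = _NOISE.sub(_blank, source)
    spans = list(_constructor_spans(code))
    return [(code.count('\n', 0, m.start()) + 1,
             any(a < m.start() < b for a, b in spans))
            for m in _CALL.finditer(code)]

# Constructed sample contract (not from the Livepeer repository).
SAMPLE = '''\
import "@openzeppelin/contracts/access/AccessControl.sol";
contract ExampleGateway is AccessControl {
    bytes32 public constant GOVERNOR_ROLE = keccak256("GOVERNOR_ROLE");
    constructor() {
        // was: _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _setupRole(GOVERNOR_ROLE, msg.sender);
    }
    function addGovernor(address who) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _setupRole(GOVERNOR_ROLE, who);
    }
}
'''

if __name__ == "__main__":
    for line, in_ctor in find_setup_role(SAMPLE):
        print(f"line {line}: _setupRole ({'constructor' if in_ctor else 'other function'})")
```

The commented-out call on line 5 of the sample is skipped; only live calls are reported, each tagged with whether it sits inside a constructor body.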